In this episode, we unpack one of the most common questions in the CMMC space: What actually triggers a reassessment? From changes in CUI flow to infrastructure shifts and company acquisitions, we break down when you might need to re-certify—and what’s still awaiting clarity from the DoD.

We also share lessons learned from the field, including common missteps organizations are making in cloud environments. Misconfigured policies, inherited templates, and SSPs that don’t reflect reality are tripping up otherwise prepared teams.

Next, we take a closer look at the Shared Responsibility Model. Your External Service Provider (ESP) can’t carry the full weight of compliance. We explain what controls can be inherited, what’s shared, and where your organization is ultimately accountable.

Then we dive into key updates on 48 CFR—the rule that puts CMMC into contracts. With final review underway, we discuss what the phased rollout may look like, enforcement timelines, and how this will impact existing agreements.

Finally, don’t miss the live Q&A segment, where we tackle everything from overseas CUI control obligations to M365 scoping confusion and the new six-year evidence retention rule.

Tune in & take notes!

CMMC Connect happens every last Thursday at 1 PM ET. Register: redspin.com/events/cmmc-connect

Subscribe to Cyberspin on Apple iTunes, Spotify, or your preferred podcast platform. You can always stream the latest episodes at redspin.com.